Outlaw
Outlaw is a long-running Linux-focused botnet and hacking group, also referred to in reporting as Shellbot and Dota. Trend Micro first identified the group in 2018. The activity described in the provided content targets Linux and Unix servers, vulnerable servers, and IoT devices, with reported targeting of organizations in the United States and Europe, including possible automotive and finance victims.

Observed tradecraft includes SSH and Telnet brute-force attacks using weak credentials, exploitation of CVE-2016-8655 and Dirty COW (CVE-2016-5195), and use of PHP web shells. A recurring and well-documented persistence mechanism is replacement of ~/.ssh/authorized_keys with an attacker-controlled RSA public key carrying the comment string "mdrfckr," often preceded by commands such as chattr -ia .ssh and lockr -ia .ssh to remove file protections. Multiple reports in the content tie this key-write playbook and the authorized_keys artifact (SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) to Outlaw/Shellbot activity.

The group's post-compromise behavior includes reconnaissance commands such as uname -a or uname -s -v -n -r -m, collection of host intelligence, password changes, and cleanup/removal of competing miners and prior infections. Outlaw deploys Shellbot disguised as rsync for evasion, uses cron jobs and looping scripts for persistence, and has operated large-scale scanning from command-and-control infrastructure. Reporting in the content also describes monetization through cryptojacking, including miner deployment and removal of competing miners, and notes Android TV mining-related APK/ADB artifacts in one campaign.

Historical reporting in the content ties Outlaw/Shellbot activity to evolving libssh-based SSH client fingerprints, including older libssh 0.6.x and 0.9.x generations and a 2026 cluster using banner SSH-2.0-libssh_0.11.1 with hassh 03a80b21afa810682a776a7d42e5e6fb.
The content emphasizes that more stable identifiers for this actor include the "mdrfckr" key comment, the authorized_keys artifact hash, and the established SSH persistence and recon command sequence. Known aliases: Shellbot, Dota.
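As an added defender-side example (not code from this page, from Mallory, or from any vendor), the following Python script turns the stable identifiers above into host and log checks: it parses an authorized_keys file for keys carrying the "mdrfckr" comment, compares the file's SHA-256 against the artifact hash reported in the content, scans shell-history lines for the chattr/lockr unlock, key-overwrite and uname reconnaissance sequence, and flags SSH session records whose client banner or hassh matches the 2026 libssh 0.11.1 cluster. The authorized_keys text, history lines and session records are constructed samples; the key bodies are placeholders rather than the actor's real key, and the record field names ("client", "hassh", "id.orig_h") follow a Zeek-like layout as an assumption about the log format.

```python
# Added example, not from the page or any vendor tooling: triage checks built from
# the Outlaw/Shellbot indicators listed in the profile above.
import hashlib
import re

# Indicators as stated in the profile.
KEY_COMMENT = "mdrfckr"
AUTHORIZED_KEYS_SHA256 = "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"
HASSH_2026 = "03a80b21afa810682a776a7d42e5e6fb"
CLIENT_BANNER_2026 = "SSH-2.0-libssh_0.11.1"

# Command patterns from the documented key-write and recon playbook.
PLAYBOOK_PATTERNS = {
    "unlock_ssh_dir": re.compile(r"\b(chattr|lockr)\s+-ia\s+\.ssh\b"),
    "overwrite_authorized_keys": re.compile(r"mdrfckr[^\n]*authorized_keys"),
    "recon_uname": re.compile(r"\buname\s+(-a|-s\s+-v\s+-n\s+-r\s+-m)\b"),
}

# Key-type tokens accepted in an authorized_keys line.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")


def parse_authorized_keys(text):
    """Return (key_type, key_body, comment) per key line, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # An optional options field (e.g. "no-pty,command=...") may precede the key type.
        idx = next((i for i, t in enumerate(tokens[:2]) if KEY_TYPE.match(t)), None)
        if idx is None or len(tokens) < idx + 2:
            continue
        comment = " ".join(tokens[idx + 2:])
        entries.append((tokens[idx], tokens[idx + 1], comment))
    return entries


def find_outlaw_keys(text):
    """Keys whose comment is the actor's stable 'mdrfckr' marker."""
    return [e for e in parse_authorized_keys(text) if e[2] == KEY_COMMENT]


def matches_known_artifact(content: bytes) -> bool:
    """True when the file hashes to the authorized_keys artifact reported in the content."""
    return hashlib.sha256(content).hexdigest() == AUTHORIZED_KEYS_SHA256


def match_playbook(command_lines):
    """(pattern_name, line) for every history line that matches a playbook step."""
    hits = []
    for line in command_lines:
        for name, pattern in PLAYBOOK_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def flag_ssh_sessions(records):
    """(source_ip, reasons) for sessions matching the 2026 libssh 0.11.1 fingerprint."""
    flagged = []
    for rec in records:
        reasons = []
        if rec.get("hassh") == HASSH_2026:
            reasons.append("hassh matches 2026 libssh_0.11.1 cluster")
        if rec.get("client") == CLIENT_BANNER_2026:
            reasons.append("client banner libssh_0.11.1")
        if reasons:
            flagged.append((rec.get("id.orig_h"), reasons))
    return flagged


# Constructed sample inputs (placeholder key bodies, not real keys; fake hassh for the benign row).
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDERKEYBODYNOTREAL mdrfckr
"""
SAMPLE_HISTORY = [
    "cd ~ && rm -rf .ssh && mkdir .ssh",
    "chattr -ia .ssh; lockr -ia .ssh",
    'echo "ssh-rsa AAAAB3Nza...PLACEHOLDER mdrfckr" > .ssh/authorized_keys',
    "uname -a",
    "ls -la /var/log",
]
SAMPLE_SSH_SESSIONS = [
    {"id.orig_h": "203.0.113.7", "client": "SSH-2.0-libssh_0.11.1", "hassh": HASSH_2026},
    {"id.orig_h": "198.51.100.2", "client": "SSH-2.0-OpenSSH_9.6", "hassh": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    print("mdrfckr keys:", find_outlaw_keys(SAMPLE_AUTHORIZED_KEYS))
    print("known artifact:", matches_known_artifact(SAMPLE_AUTHORIZED_KEYS.encode()))
    print("playbook hits:", match_playbook(SAMPLE_HISTORY))
    print("flagged sessions:", flag_ssh_sessions(SAMPLE_SSH_SESSIONS))
```

On a real host, feed the script the contents of each user's ~/.ssh/authorized_keys and the relevant shell history; the hash comparison only fires on the exact reported artifact, so the comment-string check is the more durable of the two, which is why the profile calls "mdrfckr" a stable identifier.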
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- AR (Argentina)
- BR (Brazil)
- ID (Indonesia)
- KR (South Korea)
- US (United States)
- VN (Vietnam)
Tradecraft
21 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
This time, the group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit (CVE-2016-5195) as attack vectors.
Observables
15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A long-running botnet campaign conducting opportunistic SSH compromise activity worldwide. In the observed activity, infected nodes attempted to replace .ssh directories, add the same attacker-controlled SSH public key with the comment 'mdrfckr' into authorized_keys, and establish persistent backdoor access on newly compromised hosts.
Long-running SSH botnet/crypto-botnet activity using the stable 'mdrfckr' authorized_keys persistence artifact, brute-force SSH logins with a fixed credential dictionary, account hijacking via chpasswd, reconnaissance, and competitor-cleanup commands. The April 2026 observation shows the same campaign updating its SSH client tooling to libssh 0.11.1 while retaining the same persistence key and playbook.
Linux-focused botnet using SSH brute-force, worm-like propagation, and cryptomining deployment.
Referenced as a historically documented Linux botnet operation whose playbooks (SSH brute-force, automated staging, IRC coordination, cron persistence) resemble SSHStalker; the content explicitly states there is no direct evidence tying this activity to Outlaw and suggests SSHStalker may be a derivative/copycat/adjacent operator.